What should I do about a Ransomware attack?
This article describes the threat of ransomware and answers the question “What should I do about a ransomware attack?”. Ransomware spreads through these main attack vectors:
- Spam/Social engineering
- Direct drive-by-download
- Drive-by-download through malvertising
- Malware installation tools and botnets
After compromising the machine through one of these attack vectors, the ransomware looks for content to lock down. For example, CryptoLocker encrypts 70 different file types.
A key is then generated for each file and used to encrypt its data. This leaves the file unusable, and the data is lost without the decryption key.
A message is displayed on the screen telling victims that they must pay, using virtual currencies, to recover their files, otherwise the files will be deleted.
In most cases, once the victim sends the money, the decryption code is sent. This does not mean the computer is safe from reinfection, however: the ransomware is still on the system, and it is not yet known what this means for users.
Ransomware has gone through many different variations, such as CryptoLocker, TorLocker, BitLocker and others.
The first ransomware samples used asymmetric encryption (RSA), requiring public and private keys for data verification and decryption. The decryption keys were stored on remote servers and sent to victims only after they had paid.
Ransomware uses the Tor network, which was originally built to let people browse the web anonymously but has been used more and more by criminals.
Infected Windows computers send encrypted data back to the malicious server on the Tor network, making it extremely difficult for law enforcement and security companies to take down the entire operation. Ransomware has also started to target the Linux operating system, encrypting files stored on web servers, such as web pages.
Monetisation and profitability have always been the main focus of ransomware developers, and in 2016 they will probably reach stellar conversion rates from successfully targeting small and medium businesses.
What should I do about a Ransomware attack?
- Secure the perimeter and interior, and guard against social engineering and employee theft
- Multi-layered security
- Cloud Services
- Workstations – Desktops and Laptops
- BYO Laptop & Smartphone devices
- Maintenance Plan
- Security Monitoring
- Disaster Recovery & Planning
- Security Audit
- Multi-layered backup – backup alone is not a get-out-of-jail-free card
- Standard Operating Environment / locked-down systems
- BYO computing policies and locked-down systems
- IT Policies & Procedures
- Organisational Risk Management Framework
- Cybersecurity Insurance
- 2-factor authentication
- Staff education and training